EU regulators ask Google to change privacy policy

PARIS (AP) — European regulators have asked Google to clarify its new privacy policy and make it easier for users to opt out of it because of concerns that the web giant may be collecting too much data and holding it for too long.

France's data protection agency led a European investigation into Google's new unified privacy policy, which replaces individual policies for its search, email and other services, and regulates how it uses the personal data it collects. The policy allows Google to combine data collected from one person using its disparate services, from Gmail to YouTube.

That gives Google a powerful tool for targeting the user with advertising based on his or her interests and search history. Advertising is the main way the company makes its money.

The collection of data is not just limited to people with accounts to Google applications. The web giant can collect information from anyone who visits a website that has a link to its services — for example, a Google map posting. The French agency said that of the top 500 most-visited sites in France, 90 percent had a link with Google.

With that kind of power, comes responsibility, the agency said.

The agency outlined three main concerns about the new policy: it's not clear enough in explaining to users what data is collected and how it will be used; it's too difficult for users to opt out of data collection and combination; and Google doesn't always say how long it will hold onto data.

The agency also noted that, under the new policy, Google doesn't differentiate between data collected, so a search term and a credit card number are treated the same and can be used for any purpose stated in the policy.

The agency, called the French National Commission on Computing and Freedom, was careful to note that it wanted to work with Google to change the policy.

"You have to understand the approach of the data protection authorities: It's not to make war with Google and to stop all innovation," said Isabelle Falque-Pierrotin, the French agency's president.

This is not the first time Google has run afoul of regulators. In August, the company agreed to pay a $22.5 million fine to settle a suit brought by the U.S. Federal Trade Commission.

The U.S. regulator alleged that Google broke a promise not to track Web surfers who use Apple's Safari browser, as long as they didn't change the browser settings to permit the tracking. As part of a separate anti-trust investigation, the commission is also looking into whether Google abused its dominance of Internet search to stifle competition and drive up online advertising prices.

European regulators want Google to flesh out the vague parts of its policy, tailor the way it uses data to the kind of data collected and, in general, make it easier for users to wriggle out of the wide net it has cast.

In one example cited, regulators said that in order to opt out of targeted advertising, users have to take six actions — and that's just one part of Google's universe that the privacy policy touches.

All of these concerns and suggestions were sent to Google in a letter Tuesday, although the findings were presented to Google representatives last month. Data protection authorities in all 27 European Union countries signed the letter.

Google's global privacy counsel, Peter Fleischer, said the company is reviewing the commission's report but believes its policy respects European law.

Falque-Pierrotin, of the French authority, said that Google would have three to four months to respond but that there wasn't a firm deadline.

"We haven't asked Google to go back to its old policy," she told reporters. "We've asked it to complete and clarify it on a certain number of points."

If it fails to comply, she said regulators could move into a more "contentious phase" — but wasn't clear on exactly what that would entail. Data regulators in many of the countries represented have the power to fine companies, but the response would vary by country.

Falque-Pierrotin said she expected there to be a dialogue between the regulators and Google, although she chided the company for responding vaguely to many of the questions asked during the investigation.

In fact, the report occasionally says it's unclear exactly what Google's privacy policy is — and asks the company to state that it respects the broad principles of privacy protection, such as minimizing the amount of data collected, using it for narrow purposes and protecting the user's right to object.

"Unless people are aware just how much of their behavior is being monitored and recorded, it is impossible to make an informed choice about using services," said Nick Pickles, director of privacy campaign group Big Brother Watch.

At a Google data privacy conference in Berlin, a top EU data privacy official pointed to "a trust crisis" in Europe when it comes to privacy issues and put the onus on the U.S. Internet giant to respond.

"Google must act now," said Paul F. Nemitz, European Commission director for Fundamental Rights and Citizenship. "We need to have a situation where data privacy is taken seriously."

Nemitz also defended a proposal by EU Justice Commissioner Viviane Reding to raise the maximum penalties on privacy matters from €600,000 currently to 2 percent of a company's global sales.

"This will ensure that privacy is also taken seriously in board rooms," he said.

Raphael Satter in London and Juergen Baetz in Berlin contributed to this report.